What are you spending on information security? What percentage of your spending on cybersecurity tools is on legacy vendors, and what percentage is on newer technology?
For us, our spending has continued to increase for information security over the past three years while our overall technology spending has remained flat. This area and the new data technologies have been the growth areas for us. In terms of legacy vendors versus newer technology, we have introduced a number of new technologies as the investment, and innovation in information security solutions has really provided an impressive list of new entrants. There continues to be strong investment and a significant amount of innovation, but the focus of tools has shifted from protection — which was deemed insufficient — to faster detection and remediation capabilities. These have become a priority, for them and for us.
The vector is still up on spending. CEOs and boards have to give their tech leadership the notion and impression of carte blanche: “What can you trade off to make room in the budget?” It was a trend in the past — that new vendors will lower your costs and that technology costs can go down. That’s not the case with information security. There is much more capability, but the overall spend is going up.
Have you quantified the cost if you lost data and/or IP to a cyber attack, and have you compared that to your cybersecurity spend?
There are a number of reports available today that quantify the average cost of a cybercrime breach. For example, the latest report commissioned by IBM pegged the 2015 consolidated average cost at $3.8 million. There are a few law firms that specialize in supporting boards and companies that have been breached and they believe the number is higher than the number stated in IBM report. For example one law reported the average to be $7 million. I think understanding the costs up front and having a dialogue with your board will help prepare everyone to assess the right mixture of investment in the information security function, the amount of insurance needed and the business risk the firm is willing to take.
There continues to be strong investment and a significant amount of innovation, but the focus of tools has shifted from protection — which was deemed insufficient — to faster detection and remediation capabilities
The long-term brand or reputation costs from a breach seem to be the most difficult to quantify and model.
How do you assess the company’s risk? Do you know how many endpoints the network has and how do you control them?
Orion is right, and in addition to knowing the number of endpoints, you have to have the tools to be able to understand what is happening on those endpoints. What software versions are installed, what is changing, what is being added. So, to assess risk, the board should be satisfied that the management team has the tools and team to inventory and monitor the company’s dynamic set of end points. The final area to assess is the management team’s ability to respond to an emerging risk to the environment. How quickly can it remediate once vulnerability is known?
What is the company’s response plan in the event of a major data loss?
We primarily manage response with internal resources. I think third party vendors are a valid resource when you buy a company — you need help quickly understanding the risk of a potential acquisition. Otherwise, you have to be careful that you don’t over-rely on outsiders because you think you’re better protected than you actually are. Nasdaq has a 24/7, co-located security operations center with global network operations center.
What’s our insurance status? Do we have coverage against losses from a cyber attack? How broad is it?
I think the act of buying cyber insurance is a worthwhile exercise for management to engage in and report back to the board. It is proactive and opens a healthy dialogue about the potential costs of a breach and forces a company to understand their specific types of risks from a breach. As with any type of insurance, the level of the deductible and the limitations on coverage can illuminate better uses of the funds, such as improved cyber security tools and staff. Whether the answer is more insurance or more investment in the information security function, assessing the level of insurance protection should be recurring annual process.
There isn’t a perfect solution, but better solutions. They may be expensive, but most companies have underinvested and they are playing catch up. We all know what we’re supposed to be doing. Unmanaged assets, inventory….we were supposed to be doing this the whole time.
Is our security team able to get all the intelligence they need from third parties? Can they effectively use that data to manage or ameliorate threats?
We are unique because we’re regulated and considered critical infrastructure, so Nasdaq coordinates very closely with government partners like the Department of Homeland Security, FBI and other government agencies. We also subscribe to the leading commercial threat vulnerability notification services to round out our intelligence.